IMSI provided + null cipher analyzer #50

Merged
merged 5 commits into from
Jul 19, 2024

@wgreenberg wgreenberg commented Jul 11, 2024

Added analyzers for whenever the UE provides an IMSI at all, or when a null cipher was set. Also, because I was having trouble finding which messages contained the IMSI datatype, I wrote a little Python script that'll parse and search for datatypes in our ASN.1 files, and print any hits as a "path". For example:

```
» python asn1grep.py IMSI
searching for IMSI
PCCH-Message [message [message.c1 [c1 [c1.paging [paging [pagingRecordList[0] [ [ue-Identity [ue-Identity.imsi [IMSI]]]]]]]]]]
```

Scrolling through the ASN.1 files for datatypes is a nightmare, so I
wrote a script to automate that
@wgreenberg wgreenberg requested a review from cooperq July 11, 2024 03:27
@wgreenberg wgreenberg changed the title IMSI provided analyzer IMSI provided + null cipher analyzer Jul 18, 2024
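
A sketch of the kind of datatype path search described in the PR description above, added here as an illustration; it is not the project's `asn1grep.py`. The sample definitions are a constructed, simplified subset of the LTE RRC paging types (`PCCH-C1` is a made-up name used to flatten an inline type), and the dotted path format is this example's own.

```python
import re

# Constructed, simplified subset of the LTE RRC paging definitions: inline
# types are flattened (PCCH-C1 is a made-up name), constraints are dropped.
SAMPLE_ASN1 = """
PCCH-Message ::= SEQUENCE { message PCCH-MessageType }
PCCH-MessageType ::= CHOICE { c1 PCCH-C1 }
PCCH-C1 ::= CHOICE { paging Paging }
Paging ::= SEQUENCE { pagingRecordList PagingRecordList OPTIONAL }
PagingRecordList ::= SEQUENCE OF PagingRecord
PagingRecord ::= SEQUENCE { ue-Identity PagingUE-Identity }
PagingUE-Identity ::= CHOICE { s-TMSI S-TMSI, imsi IMSI }
IMSI ::= SEQUENCE OF IMSI-Digit
"""

DEF_RE = re.compile(r"^([\w-]+) ::= (SEQUENCE OF|SEQUENCE|CHOICE) (.*)$", re.M)

def parse_types(text):
    """Map each defined type to its (step, child type) pairs."""
    types = {}
    for name, kind, rest in DEF_RE.findall(text):
        if kind == "SEQUENCE OF":
            types[name] = [("[]", rest.strip())]
        else:
            fields = rest.strip().strip("{}").split(",")
            types[name] = [tuple(f.split()[:2]) for f in fields]
    return types

def find_paths(types, target):
    """Return every path from a top-level (unreferenced) type to target."""
    referenced = {child for fields in types.values() for _, child in fields}
    hits = []
    def walk(name, path, seen):
        if name == target:
            hits.append(path)
        elif name not in seen:  # a recursive type is expanded once per path
            for step, child in types.get(name, []):
                sep = "" if step == "[]" else "."
                walk(child, path + sep + step, seen | {name})
    for root in (n for n in types if n not in referenced):
        walk(root, root, frozenset())
    return hits

if __name__ == "__main__":
    for hit in find_paths(parse_types(SAMPLE_ASN1), "IMSI"):
        print(hit)
```

Types that are referenced but never defined, such as `S-TMSI` in the sample, are treated as leaves.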

It might be worth doing some metacoding eventually so new heuristics are automatically pulled in and we don't have to add this boilerplate. OTOH it might be more work to do that than just add the boilerplate each time.


I'm not certain paging messages are the only place IMSI would get sent but it seems like a good start. I'm sure an LTE expert will correct us any day now.

@ecen740tamu ecen740tamu Jul 22, 2024


Hi Cooper and Will,
I am good with the LTE/5G protocol stack. Would you like to see the exhaustive list of all messages that carry IMSI? Sorry, this is Santosh, not ecen740.


@ecen740tamu that would be greatly appreciated, thanks Santosh!


We should also look for the 2G null cipher, but this is a good start.

@cooperq cooperq merged commit af3e47a into main Jul 19, 2024
1 check passed